Quantum key distribution based on arbitrarily-weak distillable entangled states 
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States with private correlations but little or no distillable entanglement were recently reported. 
Here, we consider the secure distribution of such states, i.e., the situation when an adversary gives 
two parties such states and they have to verify privacy. We present a protocol which enables the 
parties to extract from such untrusted states an arbitrarily long and secure key, even though the 
amount of distillable entanglement of the untrusted states can be arbitrarily small. 



Suppose Alice and Bob shared a maximally entangled 
state, say, an ebit -^(|00) + |11}). Clearly, they can gen- 
erate a private key directly by measuring their state in 
the Z-basis, without any classical post processing. Are 
there other types of states with similar key-generating 
ability? Surprisingly, the answer is yes. Reference [jj 
gives a necessary and sufficient condition for a state to 
generate a key by a direct measurement in the computa- 
tional basis - it must be some twisted version of a maxi- 
mally entangled state called the pbit (private bit). 

Now suppose Alice and Bob are unsure what state 
they're sharing. A striking feature of entanglement is 
that, it can be verified and distilled 2]. Thus, Alice and 
Bob can first generate near-perfect ebits and then a pri- 
vate key. The best known means to achieve quantum 
key distribution (QKD) via noisy, untrusted channels or 
states is distillation of ebits. It is then natural to try to 
go beyond this, by asking whether noisy and untrusted 
pbits can similarly be distilled or verified. 

The distillation of pbits was consider in 0, |j| when 
Alice and Bob know they share identical copies of some 
quantum states. However, can we achieve QKD with 
noisy or untrusted pbits? In this paper, we provide a 
positive answer by the explicit construction of QKD pro- 
tocols based on noisy pbits and by proving their un- 
conditional security (against the most general attack al- 
lowed by quantum mechanics). The protocol essentially 
involves checking bit and phase errors, with phase er- 
rors being checked using a sub-linear number of ebits. 
In the case when an adversary claims to give the parties 
copies of ideal private key, which is always distillable, 
this sub-linear number of ebits can be obtained by ap- 
plying an initial distillation protocol on some of the key 
states. However, there are also states which approximate 
pbits, yet contain no distillable entanglement pj. For 
these states, our protocol requires a sub-linear amount 
of ebits as an extra resource. 

We will begin with a review of known properties of 
pbits. We then introduce the protocol, and prove its 
security. Our security proof also relies on the compos- 
ability of distillation protocols, and we provide a proof 



in the Ben-Or-Mayers model 4]. 

Private states, twisting, and their properties 

Suppose Alice and Bob share a quantum state pab 
and the eavesdropper Eve has the purification (with her 
reduced density matrix denoted by pe). We say that 
Pab contains ideal security if and only if there is a local 
measurement taking it to some ideal ccq state 
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signifying that Alice and Bob each has a copy of the 
key i that is uncorrelated with Eve. The class of states 
containing ideal security in this sense has been fully char- 
acterized in the following way: 

Theorem 1 0, 0/ Any state Paba'B' °f a Hilbert space 
Ti-A ®T~La' <8 7~Cb ® Ti-B' with dimensions oIa = d, ds = d, 
and arbitrary dA> , ds> , gives an ideal ccq state after mea- 
surement in the computational basis on the AB subsystem 
if and only if 

1 d_1 

PABA'B' = "J X! l")0*iUs <B> UiPA'B'Uj (2) 
i,j=0 

where Pa'B' is an arbitrary state of the subsystem A' B' 
and the Ui 's are arbitrary unitary transformations. 

We will refer to a state of the form J2J as a "private 
state" or a "gamma state" or a "pdit" (and pbit when 
d = 2). Following the convention of we will call 
subsystem AB the "key part" of the pdit and A'B' its 
"shield." These definitions are summarized in Figure 1. 

Due to Theorem^ the distillable key Krj of a quantum 
state a can naturally be defined as the maximum ratio of 
the logarithm of the dimension d of the output pdit to the 
number of copies of a used, and the ratio is maximized 
over asymptotic LOCC protocols 0,0. 

Recall that any private state is a "twisted" maximally 
entangled state |]J,|3|, with the twisting operation defined 
as 

U (2] =Y.\v)^\ab®uI a , b , (3) 

ij 
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FIG. 1: A private state Paba'b' with purifying system E. 
The "key part" (AB) after a complete von Neumann mea- 
surement gives an ideal key, which is secure due to the fact 
that Alice and Bob hold the "shield" part (A'B'). 

where Ua — Ui as defined in (J2J). Since twisting is re- 
versible, we can see this in reverse: any pdit can be 
turned into a maximally entangled state on AB and some 
(global) ancillary state pa'B' on A'B' by a certain twist- 
ing operation. More formally: 

Observation 1 Consider any private state paba'B' of 
the form @) and the twisting defined as in |3J). is 
called a "global untwisting" - it takes PABA'B' in 0) into 
a state 

P+ <8> PA'B' (4) 

called the basic pdit, where P + = ^ li ^ * s o, 

maximally entangled state on AB and pa'B' is the same 
as in 0). The same state change can also result from 
applying a "local untwisting" defined as 

U W =Y^\i)(i\B®U} iA , Bl . (5) 

i=0 

Note, that if Bob had access to A' he can transform 
a private state into a basic pdit using local untwisting 
(thus the name "local"). The global and local untwistings 
are respectively subscripted by (2) and (1) (labeling the 
number of control systems). Together with the obvious 
fact that exact teleportation of a system can be viewed as 
an identity map on it, we have the following observation: 

Observation 2 For any state Paba'B', the composition 
of (i) teleportation of A 1 to Bob's side and (ii) local un- 
twisting on BB 1 A' commutes with measurement in the 
computational basis on AB . 
A final property of pbits to review is as follows: 

Proposition 1 |J/ For any private state p, Erj(p)>0. 



Remark This only holds for exact pbits, since one can 
approximate pbits with bound entangled states. 

This concludes our summary for the known results 
on private states in the promise scenario in which Al- 
ice and Bob know that they share multiple copies of a 
certain state. We now switch to the general scenario. 
We will first describe our main protocol for QKD using 
noisy pbits, and then establish its unconditional security 
against the most general attack by Eve. 
The main protocol, M 

There are six major steps in the main protocol: 

• State distribution 

Alice and Bob request n copies of a certain private 
state jab A'B' G B{C d ®C d ®C d A' ®C d B') given by 0. We 
consider the most general attack where the 7 states are 
distributed by Eve. Therefore Alice and Bob may have 
an arbitrary joint state over all n systems. Without loss 
of generality, we take dA' < ds 1 and assume compression 
has already been performed on subsystem A' to reduce 
its dimension. 

• Partial distillation 

Alice and Bob randomly choose k out of n systems 
and run a distillation protocol that would return (m x 
log dA') It || ebits if the input were indeed 7® fc . Alice 
and Bob estimate the quality of m x log dA' of those un- 
trusted ebits using the other t, say, using the Lo-Chau 
protocol 0- Here, t is based on a quality parameter 
< e < 1, such that they abort the protocol with high 
probability if the fidelity between the untrusted and ideal 
ebits is less than 1 — e. 

• Random sampling, untwisting, phase-error estimation 
Upon passing the test, Alice and Bob will have n — k 

systems and m x logd^' distilled ebits. They pick a ran- 
dom subset of m out of n — k systems, and Alice teleports 
the m A' subsystems to Bob using the m x logd^' dis- 
tilled ebits. To each teleported A' (together with his 
local corresponding system BB') Bob applies the local 
untwisting for 7, as in lf5|. to obtain m "untwisted" 
systems. On the m "untwisted" systems Alice and Bob 
measure a x on A and B and share the results to effect 
a measurement of \a x ® <t x ]ab ® Ia'B' and estimate the 
phase- flip error rate e x . 

• Random sampling and bit- error estimation 

They pick another random subset of m out oin — k — m 
systems and measure o~ z , share their results, and effec- 
tively measure [a z ®g z\ab®I A' B' • This time, they obtain 
the bit-flip error rate e z . 

• Raw key generation 

If both e x and e z are reasonably small, Alice and Bob 
generate a raw key from the n — k — 2m remaining sys- 
tems by measuring [a z ® o z ]ab ® I A' b> on each of them. 
Otherwise, they abort the protocol. 

• Error correction and privacy amplification 
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On the raw key, Alice and Bob perform the two-way 
Gottesman-Lo classical error correction and privacy am- 
plification [ljj ~ repeated concatenation of BXOR and 
three-qubit phase code followed by one-way error correc- 
tion/privacy amplification (ec/pa) procedure. | 

We comment on some aspects of this protocol. First, 
Alice and Bob can perform any distillation protocol, even 
those assuming tensor power input state 7® fc (e.g. the 
"hashing" protocol of This is because having per- 

formed such protocol Alice and Bob subsequently check 
the quality of the distilled states. Second, we do not 
have to assume that the specific jaba'B' is distillable - 
instead, it is guaranteed by proposition |QJ for all private 
states. Third, in the phase-error estimation, the local 
untwisting operation can be replaced by any global un- 
twisting. While these two options are equivalent for per- 
fect private states, they are generally different outside of 
the promise scenario. The global untwisting requires the 
extra teleportation of the A subsystem and thus the dis- 
tillation of to x log d additional ebits, but can give higher 
rate than using local untwisting (e.g. as in case of the 
mixture of two orthogonal private states (lif - ). 
Proof of unconditional security of main protocol 

Before stating the proof, we discuss the ideas behind it. 
The unconditional security of M is by reduction to that 
of the Lo-Chau protocol [9| based on entanglement purifi- 
cation. This reduction is possible because private states 
are "twisted maximally entangled states." Thus, the first 
step in the proof is to realize that, if Alice and Bob could 
(locally) untwist all n systems, Alice and Bob share some 
noisy maximally entangled states on the AB subsystems, 
and standard techniques 0, 0, 0] apply so that the 
scheme is secure. The second step is to realize that Alice 
and Bob do not need to untwist most of the systems, ex- 
cept for those used in phase error estimation, and those 
are indeed untwisted in the main protocol M. This is 
because the untwisting is followed by the entanglement 
purification schemes and then measurements |3, llOt Il3| , 
a sequence of operations that can be replaced by mea- 
surements followed by classical postprocessing. But by 
observation |21 the measurements can be done before un- 
twisting, which is then unnecessary. These replacement 
are security-preserving, so that we obtain the desired se- 
curity of the main protocol. 

For clarity we will first assume Alice and Bob per- 
form errorless teleportation and local untwisting, and 
then consider the case when these operations are only 
performed with certain fidelity. 
(i) The case of ideal quantum operations 
• Security of fully untwisted protocol M\ from 

Let us first consider another protocol Mi that dif- 
fers from the main protocol only by an additional step 
of untwisting (teleporting A' and local untwisting) the 
n — k — to systems before the measurements in bit-error 



estimation and raw key generation. We now show that 
Mi is unconditionally secure. Since Alice and Bob have 
performed all untwisting operations in Mi , they can trace 
out the A'B' subsystems, which is equivalent to giving 
these subsystems to Eve and can only decrease secu- 
rity. Thus, without loss of generality, the input to Mi 
can be taken to be 2-qubit noisy maximally entangled 
states, and results based on entanglement purification 
procedures are directly applicable. In particular, using 
[2|, if the bit and phase error rates are well estimated, 
the appropriate entanglement purification procedure will 
give a secure key. The efficient error estimation of 0] 
provides good estimate of error rates that would have 
occured if the rest of states were measured along the 
Bell basis. Thus, after estimating the error rates, Alice 
and Bob could apply an appropriate two-way distillation 
procedure and obtain a secure key by measuring in bit 
basis. Now, 01 a ls° states that this can be done by 
first measuring in bit basis, and then performing ec/pa, 
which gives our Mi protocol. Since the Gottesman-Lo 
procedure assures a secure key, we conclude that Mi is 
unconditionally secure. 

• Security of main protocol M from that of Mi 

Recall that M and Mi only differ in the additional 
untwisting on the systems used in the bit-error estimation 
and the raw- key generation steps. We now show that the 
extra untwisting is unnecessary for the security of Mi. 
Observation [21 tells us that untwisting commutes with 
measurement in the computation basis. Hence it cannot 
change measurement outcomes obtained in the bit-error 
estimation step and the raw key generation steps, and 
thus the values of the estimated bit-error rate and the 
raw key. It follows that untwisting of these n — k — m 
systems does not effect the value of the final key and it is 
unnecessary. Thus M differs from Mi only by omitting 
the necessary untwisting, and its security follows from 
that of Mi. 

This ends the proof of unconditional security of the 
main protocol in case of ideal operations of teleportation 
and untwisting. 

(ii) The case of imperfect quantum operations 

We now consider the case when Alice and Bob share 
the maximally entangled state and can perform telepor- 
tation and local untwisting only up to some confidence 
level. In other word, we assume that 
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where, as before, P+ is the projector onto a maximally 
entangled state (of appropriate dimension), and a is the 
state produced by the imperfect distillation, Ajf ea/ de- 
notes perfect teleportation of A' and A™° lsy the actual 
transformation accomplished by Alice and Bob. e,ei,£2, 
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are exponential decaying functions in n. Similar nota- 
tion holds for the local untwisting operation in (JSJ. We 
have assumed negligible errors in other operations, such 
as measurements. 

Note that the estimate of the bit error rate is unaf- 
fected by the above errors 10-© ■ Now, we show that 
if the erroneous operations have bounded errors as de- 
scribed above, the probability is small that they observe 
a phase error rate e' x different from what they would have 
obtained (e x ) using ideal operations. This can be proved 
directly or by using a general composability result 

In essence, the composability result Q guarantees the 
following in the Ben-Or-Mayers model: Consider a pro- 
tocol 7r that uses a certain ideal resource k and achieves 
security quantified by a security parameter (this quan- 
tifies the level of insecurity, but we will not go into the 
definition). Suppose there is a subprotocol k' providing 
the resource n with security parameter e K i. Then, the 
protocol 7r' that uses k' (instead of k) will have security 
parameter e^' < e w + e K > . 

Thus, without loss of generality, we can analyze a vari- 
ation of the main protocol that uses ideal ebits instead 
of a obtained from imperfect distillation. If this new 
protocol is secure, so is the original one (up to a degra- 
dation of e in the security parameter). In particular, 
Eve could have jointly attacked the imperfect distillation 
procedure and subsequent steps in the main protocol, 
and the composability result still applies in the Ben-Or- 
Mayers model. It then remains to consider imperfect 
operations (0 and JHJ. 

Let pi n be the state of the n systems distributed 
in the first step of the main protocol, p ou t = 
^untw (^t° lSy (pin)) 7 an d be the ideal local untwist- 
ing defined by 7. By the invariance of norm under unitary 
rotation and by the triangle inequality we obtain 

||C/ (1 Vm[/ (1)t -Po« t ||tr <£l+£2. (9) 

The same procedure consisting of measurements and clas- 
sical postprocessing is then applied to pi n U^ in the 
ideal case, and to p ou t in Alice and Bob's imperfect proto- 
col, leading to the ideal and actual phase error estimates 
e x and e' x . Since the trace norm can only decrease under 
this procedure, the trace distance between the distribu- 
tion of e x and e' x is at most e± + €2, as we have set out 
to prove. This ends the proof of unconditional security 
of the most general version of the main protocol. 
Distilling entanglement versus distilling uncondi- 
tionally secure key 

We will comment now on the distilled/distillable entan- 
glement in the context of our main protocol. We denote 
Kp M (7) as the amount of key obtained in main proto- 
col (M) when Alice and Bob demand n copies of pdit 
7 given that the joint state passes error estimation step. 
We consider also the amount of entanglement distilled in 
that protocol denoted as E^f (7) . 



• Distilled entanglement versus distilled secure key 
For the main protocol one has for any pdit 7: 

E#( 7 )«0. (10) 

This comes from the logarithmical sample size s — 
O(logdlogn) needed to estimate phase error rate in the 
efficient protocol of Lo-Chau-Ardehali ^4|. Thus the 
amount of distilled entanglement per input copy ap- 
proaches zero with increasing n. On the other hand the 
value of Kp M ("f) = c is nonzero by definition. 

• Distillable entanglement versus distilled secure key 

We now compare the distillable entanglement of pdit 7 
with the distillable unconditionally secure key. Below we 
give an example of the states showing K^ M (7) can be 
arbitrarily greater than Euij). It is based on the same 
state for which one has K 15(7) > Ed(j) 0,0]- 
Example Consider the pbit ^aba'B' £ B(C 2 ® C 2 <g> 
C d ®C d ) of the form 0: 

1ABA>B> =p\ll>+){^+\®p s + {l-p)\lll-){^-\®Pa (11) 

where p = 5(1 + 3) an d p s /a ar e normalized projectors 
onto symmetric/antisymmetric subspace. One has for 
this state Ed("/o) < log(l + 3) Ul- This leads to the con- 
clusion that there are states for which the gap between 
distillable entanglement and distillable unconditionally 
secure key is arbitrarily high: 

^ M (7 W )>clogd^ 00 (12) 

E D { 1 f^ d ) < logdlog(l l])^0 (13) 

where in the second inequality we have used additivity 
of log-negativity measure, which is an upper bound on 
distillable entanglement [7|. 

In summary, we introduce protocols for QKD based 
on noisy pbits, which are a generalization of singlets. We 
have found that one can still distill a key in the adversary 
model even when the distillable entanglement is made 
arbitrarily small. Notice that pbits are the most general 
type of states that can give a secure key. Therefore, our 
work generalizes QKD to the most general type of initial 
states. 

A question which arises is whether a truly prepare-and- 
measure scheme exists which does not use the teleporta- 
tion step. One would thus be able to extract a verifiable 
secure key from bound entangled states (i.e. sates which 
have strictly zero distillable entanglement). A protocol 
for doing this using quantum tomography was given in 
|lj, however a security proof was not given. Such a proof 
will be the subject of a future publication. Finally, we 
note that in the case of noisy pbits, the untwisting op- 
eration in our protocol is not known to be optimal (nor 
proven suboptimal). 
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